Android Permissions System Vulnerabilities and Possible Workarounds

Amol Patil
Published in The Startup
Jul 10, 2019
Android Permission Dialogs by Seth Cottle

Many of you must have read the very concerning news, or seen the study presented at PrivacyCon 2019 (jump to 2:16:28), on how more than 1,300 Android apps, including popular apps with hundreds of millions of users, harvest private data even after you deny permissions. The apps exploit the Android permission model to gather information such as geolocation, persistent user or device IDs (particularly the IMEI and device MAC address) and the BSSID without user consent.

Researchers built a pipeline to identify whether apps transmit sensitive data without holding the corresponding access permission. The investigation revealed that the most common SDKs from Baidu, Salmonads, Unity and OpenX used in popular apps, as well as the Shutterfly app, leverage file system vulnerabilities and covert and side channel attacks to extract sensitive user data.

Android Q, which is currently in Beta 5 and planned for production release in Q3 2019, will address many of these issues. While Android Q Scoped Storage and the privacy changes will definitely help, that still leaves the many current-generation Android phone users who won’t get the Android Q update.

Let's look more closely at these channel attacks and possible workarounds.

Covert Channels

Covert Channel — Baidu Maps SDK

Third-party libraries provided by two Chinese companies, Baidu and Salmonads, are used in many popular applications. Inside an application that has been granted READ_PHONE_STATE (Popular App B), the library uses that permission to read the IMEI, then shares it with other applications (Popular App A) through a file on the SD card (/sdcard/backups/.SystemConfig/.cuid2) that acts as a covert channel. The SDK in Popular App A, which holds the Internet permission, then shares the IMEI with Baidu servers.

Workaround

Android Q Scoped Storage will restrict use of the SD card as a covert channel, the privileged READ_PRIVILEGED_PHONE_STATE permission will provide additional security, and third-party library providers should address the issue in upcoming releases. Meanwhile, app developers using the vulnerable SDKs can, after consultation with the providers, consider an application hot-fix that deletes or edits the content of the files below, which are created by the SDKs and contain sensitive IMEI data, and that monitors those files with FileObserver for any further changes.

Baidu: /sdcard/backups/.SystemConfig/.cuid2

Salmonads: /sdcard/.googlex9/.xamdecoq0962

Also, please refrain from using updated versions of the third-party libraries until the resolution has been validated with the dynamic/hybrid analysis described in the report.
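One way to write the hot-fix described above, as an added example that is not code from the article, the report or either SDK vendor. The class and method names are hypothetical, and it assumes a pre-Android Q device and an app that already holds WRITE_EXTERNAL_STORAGE.

```java
import android.os.Environment;
import android.os.FileObserver;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

// Hypothetical helper (name and structure are this example's, not an SDK or platform API).
public final class CovertChannelFileGuard {
    // File paths from the article, relative to the shared-storage root (/sdcard).
    private static final String[] TARGETS = {
        "backups/.SystemConfig/.cuid2",  // Baidu
        ".googlex9/.xamdecoq0962",       // Salmonads
    };
    private static final int MASK = FileObserver.CREATE | FileObserver.MOVED_TO | FileObserver.CLOSE_WRITE;

    // A FileObserver that is garbage collected stops delivering events: keep strong references.
    private final FileObserver[] observers = new FileObserver[TARGETS.length];

    // Call once, e.g. from Application.onCreate(), after storage permission has been granted.
    public void start() {
        File root = Environment.getExternalStorageDirectory();
        for (int i = 0; i < TARGETS.length; i++) {
            final File target = new File(root, TARGETS[i]);
            File dir = target.getParentFile();
            scrub(target);   // clear whatever an SDK has already written
            dir.mkdirs();    // the watch can only attach to a directory that exists
            // String constructor: deprecated since API 29, but this targets pre-Q devices.
            observers[i] = new FileObserver(dir.getPath(), MASK) {
                @Override
                public void onEvent(int event, String name) {
                    // name is relative to the watched directory and may be null
                    if (target.getName().equals(name)) scrub(target);
                }
            };
            observers[i].startWatching();
        }
    }
    public void stop() {
        for (FileObserver o : observers) if (o != null) o.stopWatching();
    }
    // Delete the file; if deletion fails, fall back to truncating it to zero bytes.
    // The length check stops our own truncation (a CLOSE_WRITE event) from re-triggering itself.
    private static void scrub(File f) {
        if (!f.isFile() || f.delete() || f.length() == 0) return;
        try {
            new FileOutputStream(f).close();  // opening without append truncates
        } catch (IOException ignored) {
        }
    }
}
```

Removing the file after it is written narrows the window in which another app can read the identifier but does not close it, so this remains a stopgap until the SDK itself is fixed.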

Side Channels

Side Channel — ShutterFly, Unity, OpenX SDKs

The Shutterfly app (com.shutterfly) sends precise geolocation data to its own server (apcmobile.thislife.com) without holding the location permission. The app sent photo metadata from the photo library, which included the phone’s precise location in its exchangeable image file format (EXIF) data, to its server.

Unity opens a network socket and uses an ioctl (UNIX “input-output control”) to obtain the MAC address of the WiFi network interface. OpenX, meanwhile, exploited a side channel, using the /proc/net/arp table to gather and share the router MAC address (BSSID) and IP address for inferring user location.

Workaround

Users can disable the storage of location as EXIF metadata in the Camera app settings. An EXIF data editor/cleaner can also be used to remove the location from existing photos.

In general, users can use firewall apps (NoRoot, NetGuard) to monitor and restrict suspicious traffic.

Finally, review your app with AppCensus for privacy breaches. Before integrating any new third-party SDK or library, carefully observe its privacy behavior for covert and side channel attacks.
